MITRE ATT&CK Framework

A globally accessible, curated knowledge base of adversary tactics and techniques based on real-world observations, used as a common language for describing and categorizing cyber threats.

What Is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework that catalogs the tactics, techniques, and procedures (TTPs) used by real-world adversaries. It provides a common language for describing attacker behavior and is used worldwide by defenders, vendors, and researchers.

ATT&CK Matrix Structure

The framework is organized into:

  • Tactics: The adversary's objective (the "why") — 14 tactics from Initial Access to Impact
  • Techniques: How the objective is achieved (the "what") — ~200 techniques
  • Sub-techniques: Specific variations of techniques — ~400 sub-techniques
  • Procedures: Specific implementations by threat groups

The 14 Tactics

| # | Tactic | Objective |
|---|---|---|
| 1 | Reconnaissance | Gather information about the target |
| 2 | Resource Development | Establish resources for the attack |
| 3 | Initial Access | Get into the network |
| 4 | Execution | Run malicious code |
| 5 | Persistence | Maintain access |
| 6 | Privilege Escalation | Gain higher permissions |
| 7 | Defense Evasion | Avoid detection |
| 8 | Credential Access | Steal credentials |
| 9 | Discovery | Learn about the environment |
| 10 | Lateral Movement | Move through the network |
| 11 | Collection | Gather target data |
| 12 | Command and Control | Communicate with compromised systems |
| 13 | Exfiltration | Steal data |
| 14 | Impact | Disrupt, destroy, or manipulate |

How Organizations Use ATT&CK

  • Detection engineering: Map detection rules to specific techniques to identify coverage gaps
  • Threat intelligence: Describe adversary behavior using a common taxonomy
  • Red teaming: Plan exercises that emulate specific threat group TTPs
  • Vendor evaluation: Compare security products based on ATT&CK technique coverage (e.g., MITRE Engenuity evaluations)
  • SOC maturity: Measure detection coverage across the ATT&CK matrix
  • Incident response: Classify observed attacker behavior during investigations
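The detection-engineering use above, as an added Python example that is not part of this page or of MITRE's own tooling: a constructed set of detection rules tagged with ATT&CK technique IDs is mapped onto a 14-technique subset of the Enterprise matrix, and every tactic with no mapped rule is reported as a coverage gap. The rule names, the rule-to-technique mapping and the choice of techniques in the catalog subset are assumptions; the technique IDs and their tactic assignments follow the real Enterprise matrix.

```python
# Tactic order as in the ATT&CK Enterprise matrix.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed subset of the Enterprise matrix (real IDs, 14 of ~200 techniques): ID -> its tactics.
TECHNIQUE_TACTICS = {
    "T1595": ["Reconnaissance"],
    "T1583": ["Resource Development"],
    "T1566": ["Initial Access"],
    "T1078": ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"],
    "T1059": ["Execution"],
    "T1053": ["Execution", "Persistence", "Privilege Escalation"],
    "T1070": ["Defense Evasion"],
    "T1003": ["Credential Access"],
    "T1082": ["Discovery"],
    "T1021": ["Lateral Movement"],
    "T1005": ["Collection"],
    "T1071": ["Command and Control"],
    "T1041": ["Exfiltration"],
    "T1486": ["Impact"],
}

# Constructed detection rules (assumed names): rule name -> technique IDs it is mapped to.
DETECTION_RULES = {
    "Encoded PowerShell command line": ["T1059"],
    "Scheduled task created by non-admin": ["T1053"],
    "Handle opened on LSASS memory": ["T1003"],
    "Security event log cleared": ["T1070"],
    "Mass file rename with ransom extension": ["T1486"],
    "Office child process spawned from mail client": ["T1566"],
}

def coverage_by_tactic(rules=DETECTION_RULES, catalog=TECHNIQUE_TACTICS):
    """Return {tactic: sorted rule names}; a rule counts for every tactic of its techniques."""
    covered = {tactic: set() for tactic in TACTICS}
    for rule, technique_ids in rules.items():
        for tid in technique_ids:
            if tid not in catalog:  # a typo in rule metadata must not silently shrink coverage
                raise ValueError(f"{rule!r}: unknown technique {tid}")
            for tactic in catalog[tid]:
                covered[tactic].add(rule)
    return {tactic: sorted(names) for tactic, names in covered.items()}

def coverage_gaps(rules=DETECTION_RULES, catalog=TECHNIQUE_TACTICS):
    """Tactics, in matrix order, with no mapped detection rule at all."""
    by_tactic = coverage_by_tactic(rules, catalog)
    return [tactic for tactic in TACTICS if not by_tactic[tactic]]
```

With the rules above, seven of the 14 tactics have no detection at all; a real matrix has ~200 techniques, so in practice this is run per technique as well as per tactic.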

ATT&CK Matrices

MITRE maintains separate matrices for different environments:

  • Enterprise: Windows, macOS, Linux, Cloud, Network, Containers
  • Mobile: Android, iOS
  • ICS: Industrial Control Systems
